A recent decision from the British Columbia Supreme Court in  Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia, 2024 BCSC 2311, serves as a warning to international organizations that they will be subject to Canadian privacy regulations if they are collecting, using and/or disclosing the personal information of Canadians.

Case summary

Clearview challenged an order issued by the British Columbia Information and Privacy Commissioner, unsuccessfully arguing that the Privacy Commissioner did not have jurisdiction over it as a US-based company. Clearview’s business is providing government and law enforcement agencies with facial recognition search engine services. For a review of obligations relating to data scraping, see here.

The Order was issued in relation to Clearview having collected images and associated data of Canadians, including residents of British Columbia.  The Order prohibited Clearview from offering its facial recognition services, which used biometric information collected from individuals in British Columba without their consent ─ to clients in British Columbia. It also required Clearview to make “best efforts” to stop collecting the biometric data without consent and to delete the data it had collected.

The Supreme Court of British Columbia affirmed that the British Columbia Personal Information Protection Act (PIPA) applied to Clearview and that a ‘real and substantial connection’ to British Columbia existed. The Court noted that privacy legislation governing the online activity raises unique considerations. The Court rejected as too narrow Clearview’s emphasis on the physical location of employees, offices and services outside of British Columbia. Instead, the Court focused on the fact that Clearview was collecting, using and disclosing personal information from individuals in British Columbia through social media websites.

The Court emphasized the importance of PIPA’s protection of people in British Columbia to control their personal information, given the “ubiquitous presence of the internet and the profoundly intrusive impact it has on our daily lives” [para. 97].  

Key takeaways

Privacy regulation is increasingly cross-border in nature and organizations should be prepared to comply with privacy law requirements beyond their ‘home’ jurisdiction. In British Columbia, best practices for privacy compliance include:

  • Ensuring all privacy policies and retention guidelines comply with the requirements of PIPA and are updated regularly to address any new collection, uses or disclosures of personal information.
  • Having a process in place to respond effectively to an access for information request (in British Columbia, individuals have a right to request access to their personal information from your organization).
  • Collecting, using and disclosing personal information only for purposes that a reasonable person would consider appropriate in the circumstances and, unless an exception clearly applies, with meaningful consent from the individual.

For more information on this topic, please contact the authors, Kelly Osaka or Victoria Merritt or any member of Dentons’ Privacy group.

Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Kelly Osaka

About Kelly Osaka

Kelly Osaka is a member of the Litigation and Dispute Resolution group and the Privacy and Cybersecurity practice group. In particular, her practice focuses on shareholder disputes, class actions, privacy law claims and regulatory investigations. Kelly has appeared as counsel before all levels of court in Alberta and British Columbia, as well as the Alberta Securities Commission, the Investment Industry Regulatory Organization of Canada, and the Office of the Information and Privacy Commissioner.

Full bio

Victoria Merritt

About Victoria Merritt

Victoria Merritt is a senior associate in the Employment and Labour group in Dentons’ Vancouver office. She has diverse experience advising clients on managing all aspects of employment matters. She provides direct, practical advice with a focus on risk management and early conflict resolution.

RELATED POSTS